I have an app that is run from a compiled DLL on a web server. I need to do some Single Sign On (SSO) integration with the app, and the only way I can "inject" functionality, is to modify an external JavaScript file that gets referenced.
In the JavaScript file are some code blocks to set cookies with the session ID of that App. I tried adding more code to add more cookies so I could read the cookies from another sub domain, but the cookies don't get set!
I call the exact same cookie set function with a different name and it doesn't work. I debugged with Firefox and watched the JavaScript code get called for my new cookies, but still, no new cookies!!! I even see the existing cookies being updated!!! What gives!
Can anyone save my sanity!?!?!?
Here is the cookie setting function:
function setCookie (name,value,expires,path,domain,secure)
{
    document.cookie = name + "=" + escape (value) +
        ((expires) ? "; expires=" + expires.toGMTString() : "") +
        ((path) ? "; path=" + path : "") +
        ((domain) ? "; domain=" + domain : "") +
        ((secure) ? "; secure" : "");
}
And here is the code that calls it:
var twoHours = 1800*1000;
var expDate = new Date();
var secondExpire = expDate.getTime();
expDate.setTime(expDate.getTime() + twoHours);
setCookie("mysession",123456789,expDate,"/",null,false);
setCookie("mylastConnect",secondExpire,expDate,"/",null,false);
Try setting the domain to ".exemple.com". This should make the cookie accessible for all subdomains of exemple.com (but not to http://exemple.com, you'd have to put a second cookie).
Also check your browser's cookie settings, but I assume you've done that.
Related
I have built a bunch of Django websites at a single domain:
example.com
site1.example.com
site2.example.com
site3.example.com
They are supposed to be completely independent — used by different people for different purposes.
However cookies set by example.com are given priority by Django, and values set by site1.example.com, site2.example.com etc. are ignored if the parent domain has set a cookie with the same name.
How it works:
When the first page is loaded, it sets a cookie so the server knows to send a computer page or a mobile page with the next request.
The Django program builds the correct version based on the cookie value.
When site1.example.com loads, it sets a cookie asking for the mobile version. But then the Django program sees the value set by example.com and ignores the correct cookie.
So, I need a way to do one of the following:
prevent site1.example.com from reading the cookie of example.com
differentiate in Django the domain associated with the cookie so I can tell that the value is wrong
find a way to set a parent domain cookie in Javascript that makes it inaccessible to subdomains (I'm not using www)
If I can't find an elegant solution, I will likely end up changing the cookie name to vary with the domain name.
I know that I could use the session framework, but apart from this particular issue, everything works great. I would really like to avoid modifying my existing system, though obviously I will if I have to.
[update] Here is the cookie-setting function:
function setCookie(cname, cvalue, exdays) {
    var domain = window.location.hostname;
    if (exdays > 7) exdays = 7; // max in Safari
    var d = new Date();
    d.setTime(d.getTime() + (exdays*24*60*60*1000));
    var name = cname + '=' + cvalue + '; ';
    var expy = 'expires=' + d.toUTCString() + '; ';
    var domn = 'domain=' + domain + '; ';
    var path = 'path=/; ';
    var secu = 'samesite=lax; secure;';
    var complete = name + expy + domn + path + secu;
    document.cookie = complete;
}
Since you say the websites are supposed to be completely independent, the 3rd solution you propose seems most sensible. You should not be setting cookies in such a way that they are accessible by subdomains. Currently you are specifying the domain in the cookie; you should be skipping the domain, which would mean the cookie would only be sent for the current domain (at least in modern browsers; IE does not follow this specification). If a domain is specified in the cookie, it means that the cookie would also be used for the subdomains.
As mentioned in RFC 6265 - section 4.1.2.3:
If the server omits the Domain attribute, the user agent will return
the cookie only to the origin server.
Hence your cookie setting function should be like the following:
function setCookie(cname, cvalue, exdays) {
    // Domain should not be set unless cookie needs to be accessed by subdomains
    // var domain = window.location.hostname;
    if (exdays > 7) exdays = 7; // max in Safari
    var d = new Date();
    d.setTime(d.getTime() + (exdays*24*60*60*1000));
    var name = cname + '=' + cvalue + '; ';
    // The separator must be part of the string, otherwise expires and path run together
    var expy = 'expires=' + d.toUTCString() + '; ';
    // Domain should not be set unless cookie needs to be accessed by subdomains
    // var domn = '; domain=' + domain + '; ';
    var path = 'path=/; ';
    var secu = 'samesite=lax; secure;';
    var complete = name + expy + path + secu;
    document.cookie = complete;
}
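The scoping rule quoted above, as an added example (not code from the answer or from any browser): a small Node.js model of how a user agent decides which cookies to send to a host. The cookie name `view` and all function names are assumptions made for the illustration; the hostnames are the ones in the question.

```javascript
// Added illustration, not browser source: a reduced model of RFC 6265 cookie scoping.
// Simplifications: every cookie uses path "/", and public-suffix checks are omitted.

// RFC 6265 section 5.1.3: hosts match when identical, or when the request host
// ends with "." + cookie domain.
function domainMatches(requestHost, cookieDomain) {
  return requestHost === cookieDomain || requestHost.endsWith('.' + cookieDomain);
}

// Store a cookie as a user agent would when a page on `settingHost` sets it.
// `domainAttr` is the Domain attribute value, or null when the attribute is omitted.
function storeCookie(jar, settingHost, name, value, domainAttr) {
  let domain = settingHost;
  let hostOnly = true;                       // no Domain attribute: exact host only
  if (domainAttr) {
    const d = domainAttr.replace(/^\./, '').toLowerCase(); // a leading dot is ignored
    if (!domainMatches(settingHost, d)) return false;      // foreign domain: rejected
    domain = d;
    hostOnly = false;                        // Domain attribute: host plus subdomains
  }
  const cookie = { name, value, domain, hostOnly };
  const i = jar.findIndex(c => c.name === name && c.domain === domain);
  if (i >= 0) jar[i] = cookie; else jar.push(cookie);
  return true;
}

// Build the Cookie header sent to `requestHost`. It carries only name=value pairs,
// so the server cannot tell which domain set each one.
function cookieHeader(jar, requestHost) {
  return jar
    .filter(c => c.hostOnly ? c.domain === requestHost
                            : domainMatches(requestHost, c.domain))
    .map(c => c.name + '=' + c.value)
    .join('; ');
}

// Constructed scenario: example.com sets "view", then site1.example.com sets its own.
function scenario(parentSetsDomain) {
  const jar = [];
  storeCookie(jar, 'example.com', 'view', 'desktop',
              parentSetsDomain ? 'example.com' : null);
  storeCookie(jar, 'site1.example.com', 'view', 'mobile', null);
  return cookieHeader(jar, 'site1.example.com');
}

console.log(scenario(true));   // view=desktop; view=mobile
console.log(scenario(false));  // view=mobile
```

With the Domain attribute set on the parent, the subdomain receives two cookies with the same name and no way to tell them apart; without it, only its own cookie arrives.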
As a temporary fix, I added some code to my setCookie function:
var domain = window.location.hostname;
deleteParentCookieIfNecessary(cname, domain);
deleteParentCookieIfNecessary contains:
function deleteParentCookieIfNecessary(name, domain){
    var parts = domain.split('.');
    if (parts.length > 2){ // on subdomain
        // Takes the last two labels as the parent domain (example.com)
        var parentDomain = parts.slice(-2).join('.');
        document.cookie = name + '=;domain=.' + parentDomain + ';path=/;max-age=0';
    }
}
The result is that when the cookie is set, if the url is a subdomain then the parent-domain's cookie of the same name will be automatically deleted.
The following code works fine in FF:
var date = new Date();
date.setTime(date.getTime() + (1 * 24 * 60 * 60 * 1000));
expires = "; expires=" + date.toGMTString();
document.cookie = "c_odi" + "=" + $('#orderdetailid').val() + expires + "; path=/";
But not in Chrome. When I'm using Chrome and I do document.cookie in the console to view cookies, the c_odi cookie isn't there. But when I do the same in FF, it is. How can we make cookies work in Chrome? The cookies that were added by PHP are fine, but not this one in JavaScript, and I do need to add this cookie via JavaScript at this point.
This problem can occur if you open your code as file:///C:/.../xxx.html instead of http://localhost/xxx.html. Chrome doesn't save cookies in the file:// case (because there is no domain and no HTTP communication).
A few links of interest:
https://gist.github.com/shellscape/02d3a97031e7afdf99d2642f93d59486
Setting Cookies using JavaScript in a local html file
https://bugzilla.mozilla.org/show_bug.cgi?id=536650
https://datatables.net/forums/discussion/46255/save-state-to-cookie-in-file-protocol
Chrome doesn't store cookies from pages which are loaded from the local file system. For example, if you are accessing an HTML file in the Chrome browser from the local file system (e.g. file:///C:/Users/deepak.r/Desktop/test.html), cookies are not supported.
Try to replace this line:
document.cookie = "c_odi" + "=" + $('#orderdetailid').val() + expires + "; path=/";
with this one:
document.cookie = "c_odi" + "=" + escape($('#orderdetailid').val()) + expires + "; path=/";
You would have to use unescape when you try to read the value, but you'll manage when the time comes :)
Seems like it's working for me:
http://jsfiddle.net/rQEnF/3/
At least the cookie shows up in dev tools, as you can see. However, I replaced the jQuery selector $('#orderdetailid').val() with a constant value, as you can see. Is there something wrong with that value or the element containing the value maybe?
Make sure your address bar url matches the domain. In Chrome if you set domain=www.site.com and then test your page in the browser missing out the www. it won't work.
When creating a cookie using javascript using document.cookie
document.cookie = name + "=" + value + "; " + expires + ";path=/";
will the domain be populated or do I need to specify it?
You can only create cookies for the domain that your script is running under. So yes, the browser will set the cookie for the proper domain.
It will be populated.
You can run this in the console and then look at the cookies and Domain will be populated.
document.cookie = "val=val;Session;path=/";
I have some JavaScript code used on the web and also in an Android app using Phonegap.
At first, my code was set up to default to using local storage, and if there is no local storage, then default to cookies.
However, in a few contexts (too complicated to go into here), that is not working, so I want to see if I can go the other way: default to using cookies, and if cookies aren't possible, use local storage.
Really, it's only Android that is having trouble with cookies, so basically if my code is being used on an Android device, then I want to switch to local storage.
In any case, here is the code for setting cookie/local storage data that I have, but it's not working:
function setCookie(c_name, value, expiredays)
{
    var exdate = new Date();
    exdate.setDate(exdate.getDate() + expiredays);
    document.cookie = c_name + "=" + escape(value) +
        ((expiredays === null) ? "" : ";expires=" + exdate.toUTCString());
    if(document.cookie.length < 1 && typeof localStorage != "undefined")
    {
        localStorage.setItem(c_name, value);
    }
}
I think the problem might be where it says document.cookie.length < 1. Is that a reliable way of seeing if cookies are being set?
Bottom line: How can I reliably default to setting cookies, and use local storage as an alternative if cookies aren't present?
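One way to test whether a cookie write took effect, as an added example that is not part of the original post: read the specific cookie back by name, because `document.cookie.length` is also non-zero whenever any other cookie is visible. All function names are assumptions, and `fakeDocument` and `fakeStorage` are constructed stand-ins so the logic runs under Node.js.

```javascript
// Added example. `doc` and `storage` are parameters so the logic runs outside a
// browser; in a page, pass `document` and `window.localStorage`.

function readCookie(doc, name) {
  const prefix = encodeURIComponent(name) + '=';
  let all = '';
  try { all = doc.cookie; } catch (e) { return null; } // cookie access can throw
  for (const part of all.split(';')) {
    const p = part.trim();
    if (p.startsWith(prefix)) return decodeURIComponent(p.slice(prefix.length));
  }
  return null;
}

// Write the cookie, then read this specific name back. Returns where the value landed.
function setValue(doc, storage, name, value, days) {
  let c = encodeURIComponent(name) + '=' + encodeURIComponent(value) + '; path=/';
  if (days != null) {
    c += '; expires=' + new Date(Date.now() + days * 864e5).toUTCString();
  }
  try { doc.cookie = c; } catch (e) { /* fall through to storage */ }
  if (readCookie(doc, name) === String(value)) return 'cookie';
  if (storage) { storage.setItem(name, String(value)); return 'localStorage'; }
  return 'none';
}

function getValue(doc, storage, name) {
  const v = readCookie(doc, name);
  return v !== null ? v : (storage ? storage.getItem(name) : null);
}

// Constructed stand-ins for testing: a document that keeps or silently drops cookies.
function fakeDocument(acceptsCookies, initial) {
  const jar = new Map(initial || []);
  return {
    get cookie() { return [...jar].map(([k, v]) => k + '=' + v).join('; '); },
    set cookie(s) {
      if (!acceptsCookies) return;
      const pair = s.split(';')[0];
      jar.set(pair.slice(0, pair.indexOf('=')), pair.slice(pair.indexOf('=') + 1));
    }
  };
}
function fakeStorage() {
  const m = new Map();
  return { setItem: (k, v) => m.set(k, v), getItem: k => (m.has(k) ? m.get(k) : null) };
}
```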
I am trying to use document.cookie in JavaScript in an alert (for an experimental purpose). Initially, it was displaying the cookies fine; all of a sudden it's displaying "style_cookie=null".
I was doing this in phpbb3. I am trying to add a custom page inside it and I am in the process of building it. So the cookie setter is phpbb3.
I am not sure what's going wrong here. Is it related to cookie time-out or cookie expiration? I am confused, some help would be appreciated.
The code looks like the following,
alert(document.cookie);
Thanks,
Abi
I got this thing working. For Android 2.2, JavaScript's document.cookie works fine; just make sure that JavaScript is enabled in your WebView, like so:
yourWebViewVariable.getSettings().setJavaScriptEnabled(true);
For Android 3.1, just add this to your Java file's onLoadInit:
CookieManager.setAcceptFileSchemeCookies(true); // This is the line that specifically makes it work, so the other lines are optional
CookieManager cookieManager = CookieManager.getInstance();
cookieManager.setAcceptCookie(true);
cookieManager.acceptCookie();
Also, here are a few links that I found while I was trying to figure this error out. They could be helpful for others who want to send variables from JavaScript to the WebView (native Android language) and vice versa.
http://android-er.blogspot.com/2011/10/run-android-java-code-from-webpage.html
http://android-er.blogspot.com/2011/10/call-javascript-inside-webview-from.html
Thanks and good luck!
It can be caused by several things:
cookie expiration (if you don't set the expiration, the cookie is per session)
http only - you can tell browser not to send the cookie value
cookie scope - cookie can be valid for some subdomains or subURLs only
Note that if you want to list all cookies, you can use other tools. For example, in Firefox, you can right click -> View Page Info -> Security -> View Cookies.
Have you tested your script over HTTP, or did you just open an HTML file? Cookies are sent over HTTP, so you must call it from a web server, like (http://localhost/test_cookie.html).
The following two functions are safe to use to set or get a cookie, and are also tested:
function setCookie(c_name, value, exdays)
{
    var exdate = new Date();
    exdate.setDate(exdate.getDate() + exdays);
    var c_value = escape(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
    document.cookie = c_name + "=" + c_value;
}
function getCookie(c_name)
{
    var i, x, y, ARRcookies = document.cookie.split(";");
    for (i = 0; i < ARRcookies.length; i++)
    {
        x = ARRcookies[i].substr(0, ARRcookies[i].indexOf("="));
        y = ARRcookies[i].substr(ARRcookies[i].indexOf("=") + 1);
        x = x.replace(/^\s+|\s+$/g, "");
        if (x == c_name)
        {
            return unescape(y);
        }
    }
}
For more information, visit this page in W3Schools.